
Issue 907186


Issue metadata

Status: Fixed
Owner:
Closed: Nov 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




[LayoutNG] Crash during prepaint walk (for selection?) in gmail.

Reported by ikilpatrick@chromium.org, Nov 20

Issue description

See stack trace, if you need more information, let me know. But reproduces reliably when selecting over (some?) links.

Received signal 11 SEGV_MAPERR 000000000078
0   libbase.dylib                       0x00000001042ddda3 base::debug::StackTrace::StackTrace(unsigned long) + 83
1   libbase.dylib                       0x00000001042dde5d base::debug::StackTrace::StackTrace(unsigned long) + 29
2   libbase.dylib                       0x0000000103fcbc0a base::debug::StackTrace::StackTrace() + 26
3   libbase.dylib                       0x00000001042ddbf1 base::debug::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, void*) + 1393
4   libsystem_platform.dylib            0x00007fff65c13f5a _sigtramp + 26
5   libblink_core.dylib                 0x0000000143d8f835 WTF::Vector<blink::NGInlineItem, 0u, WTF::PartitionAllocator>::data() const + 21
6   libblink_core.dylib                 0x0000000142ff0a43 blink::IsBeforeSoftLineBreak(blink::NGPaintFragment const&) + 563
7   libblink_core.dylib                 0x0000000142ff05a3 blink::LayoutSelection::ComputeSelectionStatus(blink::NGPaintFragment const&) const + 1139
8   libblink_core.dylib                 0x0000000142fb20ea blink::FrameSelection::ComputeLayoutSelectionStatus(blink::NGPaintFragment const&) const + 58
9   libblink_core.dylib                 0x000000014416a4d8 blink::ComputeFragmentLocalSelectionRect(blink::NGPaintFragment const&) + 136
10  libblink_core.dylib                 0x000000014416947d blink::PaintInvalidator::UpdateVisualRect(blink::LayoutObject const&, blink::FragmentData&, blink::PaintInvalidatorContext&) + 877
11  libblink_core.dylib                 0x00000001441684f1 blink::PaintInvalidator::InvalidatePaint(blink::LayoutObject const&, blink::PaintPropertyTreeBuilderContext const*, blink::PaintInvalidatorContext&) + 1313
12  libblink_core.dylib                 0x00000001441e255d blink::PrePaintTreeWalk::WalkInternal(blink::LayoutObject const&, blink::PrePaintTreeWalk::PrePaintTreeWalkContext&) + 285
13  libblink_core.dylib                 0x00000001441e15fa blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 618
14  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
15  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
16  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
17  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
18  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
19  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
20  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
21  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
22  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
23  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
24  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
25  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
26  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
27  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
28  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
29  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
30  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
31  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
32  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
33  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
34  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
35  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
36  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
37  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
38  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
39  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
40  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
41  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
42  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
43  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
44  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
45  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
46  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
47  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
48  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
49  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
50  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
51  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
52  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
53  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
54  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
55  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
56  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
57  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
58  libblink_core.dylib                 0x00000001441e1665 blink::PrePaintTreeWalk::Walk(blink::LayoutObject const&) + 725
59  libblink_core.dylib                 0x00000001441e0c86 blink::PrePaintTreeWalk::Walk(blink::LocalFrameView&) + 902
60  libblink_core.dylib                 0x00000001441e0352 blink::PrePaintTreeWalk::WalkTree(blink::LocalFrameView&) + 642
61  libblink_core.dylib                 0x000000014336b5d6 blink::LocalFrameView::RunPrePaintLifecyclePhase(blink::DocumentLifecycle::LifecycleState) + 390
62  libblink_core.dylib                 0x000000014336a873 blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) + 835
63  libblink_core.dylib                 0x000000014336944c blink::LocalFrameView::UpdateLifecyclePhases(blink::DocumentLifecycle::LifecycleState) + 972
64  libblink_core.dylib                 0x00000001433696f2 blink::LocalFrameView::UpdateAllLifecyclePhasesExceptPaint() + 50
65  libblink_core.dylib                 0x0000000143cdaa6a blink::LayoutView::HitTest(blink::HitTestLocation const&, blink::HitTestResult&) + 58
66  libblink_core.dylib                 0x0000000143045973 blink::SelectionController::UpdateSelectionForMouseDrag(blink::LayoutPoint const&, blink::LayoutPoint const&) + 259
67  libblink_core.dylib                 0x00000001437d3ae9 blink::MouseEventManager::UpdateSelectionForMouseDrag() + 121
68  libblink_core.dylib                 0x00000001437b8a44 blink::EventHandler::UpdateSelectionForMouseDrag() + 36
69  libblink_core.dylib                 0x0000000143ffd15d blink::AutoscrollController::Animate() + 541
70  libblink_core.dylib                 0x00000001440527df blink::PageWidgetDelegate::Animate(blink::Page&, base::TimeTicks) + 47
71  libblink_core.dylib                 0x00000001431a5f63 blink::WebViewImpl::BeginFrame(base::TimeTicks) + 547
72  libblink_core.dylib                 0x000000014345aff2 blink::WebViewFrameWidget::BeginFrame(base::TimeTicks) + 66
73  libcontent.dylib                    0x00000001154aaea8 content::RenderWidget::BeginMainFrame(base::TimeTicks) + 168
74  libcontent.dylib                    0x0000000114f90bc8 content::LayerTreeView::BeginMainFrame(viz::BeginFrameArgs const&) + 104
75  libcc.dylib                         0x000000012c01d79d cc::LayerTreeHost::BeginMainFrame(viz::BeginFrameArgs const&) + 45
76  libcc.dylib                         0x000000012c13b7fb cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) + 1755
77  libcc.dylib                         0x000000012c137f52 void base::internal::FunctorTraits<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), void>::Invoke<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > >(void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>&&, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >&&) + 178
78  libcc.dylib                         0x000000012c137dff void base::internal::InvokeHelper<true, void>::MakeItSo<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > >(void (cc::ProxyMain::*&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>&&, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >&&) + 127
79  libcc.dylib                         0x000000012c137d26 void base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunImpl<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, 0ul, 1ul>(void (cc::ProxyMain::*&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 118
80  libcc.dylib                         0x000000012c137bfe base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunOnce(base::internal::BindStateBase*) + 62
81  libbase.dylib                       0x0000000103f8dafc base::OnceCallback<void ()>::Run() && + 92
82  libbase.dylib                       0x0000000103fcd229 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 729
83  libbase.dylib                       0x00000001041b81a1 base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) + 1409
84  libbase.dylib                       0x00000001041bb3a6 void base::internal::FunctorTraits<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), void>::Invoke<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> const&, base::sequence_manager::internal::ThreadControllerImpl::WorkType const&>(void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> const&&&, base::sequence_manager::internal::ThreadControllerImpl::WorkType const&&&) + 150
85  libbase.dylib                       0x00000001041bb23f void base::internal::InvokeHelper<true, void>::MakeItSo<void (base::sequence_manager::internal::ThreadControllerImpl::* const&)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> const&, base::sequence_manager::internal::ThreadControllerImpl::WorkType const&>(void (base::sequence_manager::internal::ThreadControllerImpl::* const&&&)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> const&&&, base::sequence_manager::internal::ThreadControllerImpl::WorkType const&&&) + 127
86  libbase.dylib                       0x00000001041bb1b3 void base::internal::Invoker<base::internal::BindState<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>, base::sequence_manager::internal::ThreadControllerImpl::WorkType>, void ()>::RunImpl<void (base::sequence_manager::internal::ThreadControllerImpl::* const&)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), std::__1::tuple<base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>, base::sequence_manager::internal::ThreadControllerImpl::WorkType> const&, 0ul, 1ul>(void (base::sequence_manager::internal::ThreadControllerImpl::* const&&&)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), std::__1::tuple<base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>, base::sequence_manager::internal::ThreadControllerImpl::WorkType> const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 99
87  libbase.dylib                       0x00000001041bb08c base::internal::Invoker<base::internal::BindState<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType), base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>, base::sequence_manager::internal::ThreadControllerImpl::WorkType>, void ()>::Run(base::internal::BindStateBase*) + 44
88  libbase.dylib                       0x0000000103f8dafc base::OnceCallback<void ()>::Run() && + 92
89  libbase.dylib                       0x0000000103fcd229 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 729
90  libbase.dylib                       0x0000000104057bfc base::MessageLoopImpl::RunTask(base::PendingTask*) + 796
91  libbase.dylib                       0x0000000104057fe9 base::MessageLoopImpl::DeferOrRunPendingTask(base::PendingTask) + 89
92  libbase.dylib                       0x0000000104058a97 base::MessageLoopImpl::DoWork() + 455
93  libbase.dylib                       0x0000000104063852 base::MessagePumpCFRunLoopBase::RunWork() + 98
94  libbase.dylib                       0x00000001040637dc ___ZN4base24MessagePumpCFRunLoopBase13RunWorkSourceEPv_block_invoke + 28
95  libbase.dylib                       0x00000001040180fa base::mac::CallWithEHFrame(void () block_pointer) + 10
96  libbase.dylib                       0x0000000104062be5 base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 101
97  CoreFoundation                      0x00007fff3da008f1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
98  CoreFoundation                      0x00007fff3daba30c __CFRunLoopDoSource0 + 108
99  CoreFoundation                      0x00007fff3d9e3350 __CFRunLoopDoSources0 + 208
100 CoreFoundation                      0x00007fff3d9e27cd __CFRunLoopRun + 1293
101 CoreFoundation                      0x00007fff3d9e2033 CFRunLoopRunSpecific + 483
102 Foundation                          0x00007fff3fadfe76 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 277
103 libbase.dylib                       0x0000000104064349 base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*) + 185
104 libbase.dylib                       0x00000001040623b5 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 101
105 libbase.dylib                       0x0000000104057460 base::MessageLoopImpl::Run(bool) + 512
106 libbase.dylib                       0x00000001041068fd base::RunLoop::Run() + 525
107 libcontent.dylib                    0x00000001154ebdeb content::RendererMain(content::MainFunctionParams const&) + 1659
108 libcontent.dylib                    0x00000001157cfd81 content::RunOtherNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) + 177
109 libcontent.dylib                    0x00000001157d0fb5 content::ContentMainRunnerImpl::Run(bool) + 1285
110 libcontent.dylib                    0x00000001157cd729 content::ContentServiceManagerMainDelegate::RunEmbedderProcess() + 57
111 libembedder.dylib                   0x00000001795e9917 service_manager::Main(service_manager::MainParams const&) + 1607
112 libcontent.dylib                    0x00000001157cfbc9 content::ContentMain(content::ContentMainParams const&) + 89
113 Content Shell Framework             0x0000000109b012ae ContentMain + 286
114 Content Shell Helper                0x00000001039d6b60 main + 848
115 libdyld.dylib                       0x00007fff65905015 start + 1


 
shape_result appears to be null for some reason?

(lldb) bt 10
* thread #27, name = 'Chrome_InProcRendererThread', stop reason = EXC_BAD_ACCESS (code=1, address=0x78)
  * frame #0: 0x0000000141388c5c libblink_core.dylib`blink::ShapeResultView::Direction(this=0x0000000000000000) const at shape_result_view.h:99
    frame #1: 0x0000000141385a43 libblink_core.dylib`blink::IsBeforeSoftLineBreak(fragment=0x0000002df87619f0) at layout_selection.cc:591
    frame #2: 0x00000001413855a3 libblink_core.dylib`blink::LayoutSelection::ComputeSelectionStatus(this=0x0000004fd0ba1ba8, fragment=0x0000002df87619f0) const at layout_selection.cc:724
    frame #3: 0x00000001413470ea libblink_core.dylib`blink::FrameSelection::ComputeLayoutSelectionStatus(this=0x0000004e5b161b48, text_fragment=0x0000002df87619f0) const at frame_selection.cc:1234
    frame #4: 0x00000001424ff4d8 libblink_core.dylib`blink::ComputeFragmentLocalSelectionRect(fragment=0x0000002df87619f0) at paint_invalidator.cc:170
    frame #5: 0x00000001424fe47d libblink_core.dylib`blink::PaintInvalidator::UpdateVisualRect(this=0x000070000d2a6470, object=0x0000001ca2449530, fragment_data=0x0000001ca2449588, context=0x0000002c7580e720) at paint_invalidator.cc:336
    frame #6: 0x00000001424fd4f1 libblink_core.dylib`blink::PaintInvalidator::InvalidatePaint(this=0x000070000d2a6470, object=0x0000001ca2449530, tree_builder_context=0x0000002c7580e5f0, context=0x0000002c7580e720) at paint_invalidator.cc:482
    frame #7: 0x000000014257755d libblink_core.dylib`blink::PrePaintTreeWalk::WalkInternal(this=0x000070000d2a6470, object=0x0000001ca2449530, context=0x0000002c7580e5e8) at pre_paint_tree_walk.cc:342
    frame #8: 0x00000001425765fa libblink_core.dylib`blink::PrePaintTreeWalk::Walk(this=0x000070000d2a6470, object=0x0000001ca2449530) at pre_paint_tree_walk.cc:430
    frame #9: 0x0000000142576665 libblink_core.dylib`blink::PrePaintTreeWalk::Walk(this=0x000070000d2a6470, object=0x0000001ca2646a50) at pre_paint_tree_walk.cc:438
(lldb) f 1
frame #1: 0x0000000141385a43 libblink_core.dylib`blink::IsBeforeSoftLineBreak(fragment=0x0000002df87619f0) at layout_selection.cc:591
   588 	  // paint/selection/text-selection-newline-mixed-ltr-rtl.html.
   589 	  const ShapeResultView* shape_result =
   590 	      ToNGPhysicalTextFragment(fragment.PhysicalFragment()).TextShapeResult();
-> 591 	  return physical_line_box.BaseDirection() == shape_result->Direction();
   592 	}
   593 	
   594 	static Text* AssociatedTextNode(const LayoutText& text) {
(lldb) p shape_result

Cc: -xiaoche...@chromium.org
Components: Blink>Editing
Owner: xiaoche...@chromium.org
Status: Assigned (was: Available)
I'll take a look.
The long links that we see in Gmail contain <wbr>:

<a href="...">
https://groups.google.com/a/<wbr>chromium.org/d/msgid/blink-
<wbr>
dev/CAM1-CVkcq81FPTJJ%
<wbr>
3DA9e1Kun0aYmYeXgJjaYjC2nAxgcB
<wbr>
MHTgQ%40mail.gmail.com
</a>

When the link is wrapped into lines, selecting across a line boundary results in a selection highlight that ends at a WBR, which doesn't have a TextShapeResult. Accessing that results in a null deref.
Minimal repro:

<div style="width:0">foo<wbr>bar</div>

Selecting across the line wrap crashes.

Comment 5 by bugdroid1@chromium.org, Nov 24

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/886c74e309489c7019e2a10a2fc27d26792af689

commit 886c74e309489c7019e2a10a2fc27d26792af689
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Sat Nov 24 00:34:06 2018

[LayoutNG] Use the correct function to check fragment direction in selection painting

LayoutSelection's IsBeforeSoftLineBreak() checks a text fragment's
TextShapeResult for the resolved direction, which results in a null deref
if the text fragment is a control fragment (e.g., <wbr>).

This patch changes it to call NGPhysicalFragment::ResolvedDirection()
to fix the issue.

Bug: 907186
Change-Id: Ifcb6c25eccd96850d9e7df6c5e9631fa4b3b2fb1
Reviewed-on: https://chromium-review.googlesource.com/c/1347616
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610691}
[modify] https://crrev.com/886c74e309489c7019e2a10a2fc27d26792af689/third_party/blink/renderer/core/editing/layout_selection.cc
[modify] https://crrev.com/886c74e309489c7019e2a10a2fc27d26792af689/third_party/blink/renderer/core/editing/layout_selection_test.cc

Status: Fixed (was: Assigned)
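To make the failure mode and the fix concrete, the following is an added model in C++, not Blink's own code or the patch: the types are stand-ins named after the frames in the stack trace, the control fragment for <wbr> has no shaping result, and the fragments for the minimal repro above are constructed by hand. The pre-fix check reports the null case instead of dereferencing it, so the offending fragment can be identified.

```cpp
// Added example, not Blink's code: a simplified model of the null dereference
// behind this bug and of the fix. The names are stand-ins chosen to mirror the
// frames in the stack trace; the real Blink classes are far richer.
#include <memory>
#include <string>
#include <vector>

enum class TextDirection { kLtr, kRtl };

// Stand-in for ShapeResultView. Only shaped text owns one of these.
struct ShapeResultView {
  explicit ShapeResultView(TextDirection d) : direction(d) {}
  TextDirection Direction() const { return direction; }
  TextDirection direction;
};

// Stand-in for NGPhysicalTextFragment. A control fragment such as <wbr>
// carries no shaping result, so its shape_result is null.
struct PhysicalTextFragment {
  std::string text;
  TextDirection resolved_direction;  // NGPhysicalFragment::ResolvedDirection() stand-in
  std::unique_ptr<ShapeResultView> shape_result;
  const ShapeResultView* TextShapeResult() const { return shape_result.get(); }
  TextDirection ResolvedDirection() const { return resolved_direction; }
};

// Pre-fix logic of layout_selection.cc:591, modelled: the direction is read
// through TextShapeResult(). Instead of really dereferencing null (the report
// shows it as SEGV_MAPERR at address 0x78) the model flags it in *null_deref.
bool IsBeforeSoftLineBreakBeforeFix(TextDirection line_base_direction,
                                    const PhysicalTextFragment& fragment,
                                    bool* null_deref) {
  const ShapeResultView* shape_result = fragment.TextShapeResult();
  *null_deref = (shape_result == nullptr);
  if (*null_deref) return false;
  return line_base_direction == shape_result->Direction();
}

// Post-fix logic: ResolvedDirection() exists on every fragment, <wbr> included.
bool IsBeforeSoftLineBreakAfterFix(TextDirection line_base_direction,
                                   const PhysicalTextFragment& fragment) {
  return line_base_direction == fragment.ResolvedDirection();
}

// Constructed input: the fragments <div style="width:0">foo<wbr>bar</div>
// yields once it wraps, with the <wbr> control fragment at the line end.
std::vector<PhysicalTextFragment> BuildReproFragments() {
  std::vector<PhysicalTextFragment> fragments;
  fragments.push_back({"foo", TextDirection::kLtr,
                       std::make_unique<ShapeResultView>(TextDirection::kLtr)});
  fragments.push_back({"", TextDirection::kLtr, nullptr});  // the <wbr>
  fragments.push_back({"bar", TextDirection::kLtr,
                       std::make_unique<ShapeResultView>(TextDirection::kLtr)});
  return fragments;
}

// Number of fragments the pre-fix check would crash on: 1, the <wbr>.
int CountNullDerefsBeforeFix(const std::vector<PhysicalTextFragment>& fragments) {
  int count = 0;
  for (const auto& fragment : fragments) {
    bool null_deref = false;
    IsBeforeSoftLineBreakBeforeFix(TextDirection::kLtr, fragment, &null_deref);
    if (null_deref) ++count;
  }
  return count;
}

// Number of fragments the post-fix check evaluates and finds matching the
// LTR line: 3, the control fragment included.
int CountMatchingAfterFix(const std::vector<PhysicalTextFragment>& fragments) {
  int count = 0;
  for (const auto& fragment : fragments)
    if (IsBeforeSoftLineBreakAfterFix(TextDirection::kLtr, fragment)) ++count;
  return count;
}
```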
